WannaCry shows we need to understand why organizations don't patch

Posted by   Martijn Grooten on   May 17, 2017

For the past few days, the world of Infosec on Twitter has tried to find as many ways as possible of saying "we told you so".

To be fair, it's true – we did tell you so: for years we have warned of the dangers of not patching, of not keeping backups, and of running services one doesn't really need. Infosec does indeed have a pretty good track record of predicting the most serious cyber attacks. Unfortunately, it achieves this by constantly predicting doom, so that eventually it ends up being right.

Remember, for example, the 2015 vulnerability found in the Stagefright Android library? "In the worst case scenario, the exploit could be turned into a worm of a size not seen for a very long time," I wrote in a blog post, echoing what everyone else was saying around that time. Yet, despite the still deplorable state of Android patching, we have yet to see such a worm. In fact, I am not aware of any use of the Stagefright vulnerability in the wild. Stagefright isn't an exception: most vulnerabilities, even many of those that sound really bad, are rarely, if ever, exploited in the wild.

stagefrightflaw.jpg


So maybe the question we should be asking about WannaCry is not "why do so many organisations allow unpatched machines to exist on their networks?" but "why doesn't patching work reasonably well most of the time?".

Indeed, not patching may well be the most effective short-term strategy. With a few exceptions, such as browser plug-ins and open-source CMSs, exploitation of vulnerabilities right after they have been patched is rare. It may actually be more common to encounter problems arising from patches that go wrong.

Of course, patching is the sensible long-term approach, even if one can spend years running out-of-date systems before something as bad as WannaCry hits. A dedicated security team can help make patching a mostly painless procedure. Such teams aren't cheap though, and this, together with the price of some more advanced security products, may be the real issue: many organizations simply don't have the money we believe they should be spending on security. Repeatedly labouring the point that they should spend the money anyway may not always be the most effective approach.

When I was putting together the programme for VB2017, I wanted to include a number of talks by people who could provide a view from organizations that don't have lots of cash to throw at the security problem; I am pleased that the programme, which went live earlier this month, does indeed include several such talks.

vb2017-montage-sm.jpg


Most relevant to WannaCry is the talk by Jelena Milosevic, who works as a hospital nurse and has a passion for security; she is thus very well qualified to provide a behind-the-scenes view of healthcare security. But I am just as much looking forward to hearing Claus Cramon Houmann, who will talk about his time as a CISO for a small bank, and will share how to achieve 'minimum viable security' on a small budget.

Claus-Houmann-web.jpgClaus Cramon Houmann will talk about his time as a CISO for a small bank.


I am also looking forward to the presentation by Tyrus Kamau (Euclid Consultancy), who will talk about the state of cybersecurity in Kenya. It will be interesting to see how different, or maybe how similar, the threat landscape is in a country that has less money to spend in general, and thus less on security in particular. Maybe tighter budgets have made people more inventive and not necessarily less secure.

Another group that doesn't have a lot of money is 'civil society': NGOs, human rights activists, journalists, and so on. Many of them are volunteers or work for little money; they certainly don't have the funds to get a well-paid CISO or to spend on fancy and probably very effective security tools. Claudio Guarnieri, currently working for Amnesty International, but also one of the people behind the open-source Cuckoo Sandbox, will talk about the threats these people and organizations are facing.

If you're reading this, you probably work in security. It is your job to tell others how to make their systems more secure – and please continue to do so! But don't forget also to listen to those fighting security in the real world, and to make an effort to understand the constraints they operate under.

VB2017 will take 4-6 October in Madrid, Spain. Registration is now open - register before 30 June 2017 to qualify for the early bird rate!

VB2017-325w.jpg

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Didn't come to VB2017? Tell us why!

Virus Bulletin is a company - and a conference - with a mission: to further the research in and facilitate the fight against digital threats. To help us in this mission, we want to hear from those who didn't come to Madrid. What is your impression of…

Montreal will host VB2018

Last week, we announced the full details of VB2018, which will take place 3-5 October 2018 at the Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

VB2017 preview: Beyond lexical and PDNS (guest blog)

In a special guest blog post, VB2017 Silver sponsor Cisco Umbrella writes about a paper that researchers Dhia Mahjoub and David Rodriguez will present at the conference this Friday.

Avast to present technical details of CCleaner hack at VB2017

The recently discovered malicious CCleaner version has become one of the biggest security stories of 2017. Two researchers from Avast, the company that had recently acquired CCleaner developer Piriform, will share the results of their investigations…

VB2017 preview: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

We preview the VB2017 paper by Kaspersky Lab researchers Juan Andrés Guerrero-Saade and Costin Raiu on fourth-party collection and its implications for attack attribution.